File 0001-sshkey-expose-openssl-EVP_PKEY-to-sshkey-conversion-.patch of Package openssh

From 552146fa469eb600cab901644a4a6204c4b1e576 Mon Sep 17 00:00:00 2001
From: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: Mon, 25 May 2020 10:46:02 -0700
Subject: [PATCH 1/3] sshkey: expose openssl EVP_PKEY to sshkey conversion
 routine.

Break a new function, sshkey_openssl_private_key(), out of
sshkey_parse_private_pem_fileblob() which will be used with engine
keys that have no internal private key.  Add an external flag, which
disables any private key component checking and sets SSHKEY_FLAG_EXT
on the sshkey.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 sshkey.c | 87 ++++++++++++++++++++++++++++++++------------------------
 sshkey.h |  5 ++++
 2 files changed, 55 insertions(+), 37 deletions(-)

diff --git a/sshkey.c b/sshkey.c
index ac451f1a8..f9ce55044 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -4525,47 +4525,18 @@ pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
 	return (int)len;
 }
 
-static int
-sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
-    const char *passphrase, struct sshkey **keyp)
+int
+sshkey_openssl_private_key(int type, EVP_PKEY *pk, struct sshkey **keyp,
+			   int external)
 {
-	EVP_PKEY *pk = NULL;
 	struct sshkey *prv = NULL;
-	BIO *bio = NULL;
 	int r;
 
-	if (keyp != NULL)
-		*keyp = NULL;
-
-	if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
-		return SSH_ERR_ALLOC_FAIL;
-	if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
-	    (int)sshbuf_len(blob)) {
-		r = SSH_ERR_ALLOC_FAIL;
-		goto out;
-	}
-
-	clear_libcrypto_errors();
-	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb,
-	    (char *)passphrase)) == NULL) {
-	       /*
-		* libcrypto may return various ASN.1 errors when attempting
-		* to parse a key with an incorrect passphrase.
-		* Treat all format errors as "incorrect passphrase" if a
-		* passphrase was supplied.
-		*/
-		if (passphrase != NULL && *passphrase != '\0')
-			r = SSH_ERR_KEY_WRONG_PASSPHRASE;
-		else
-			r = convert_libcrypto_error();
-		goto out;
-	}
 	if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
 	    (type == KEY_UNSPEC || type == KEY_RSA)) {
-		if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto out;
-		}
+		if ((prv = sshkey_new(KEY_UNSPEC)) == NULL)
+			return SSH_ERR_ALLOC_FAIL;
+
 		prv->rsa = EVP_PKEY_get1_RSA(pk);
 		prv->type = KEY_RSA;
 #ifdef DEBUG_PK
@@ -4602,7 +4573,8 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
 		    sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
 		    sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
 		    EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
-		    sshkey_ec_validate_private(prv->ecdsa) != 0) {
+		    (!external &&
+		     sshkey_ec_validate_private(prv->ecdsa) != 0)) {
 			r = SSH_ERR_INVALID_FORMAT;
 			goto out;
 		}
@@ -4615,15 +4587,56 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
 		r = SSH_ERR_INVALID_FORMAT;
 		goto out;
 	}
+	if (external)
+		prv->flags |= SSHKEY_FLAG_EXT;
 	r = 0;
 	if (keyp != NULL) {
 		*keyp = prv;
 		prv = NULL;
 	}
+ out:
+	sshkey_free(prv);
+	return r;
+}
+
+static int
+sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
+    const char *passphrase, struct sshkey **keyp)
+{
+	EVP_PKEY *pk = NULL;
+	BIO *bio = NULL;
+	int r;
+
+	if (keyp != NULL)
+		*keyp = NULL;
+
+	if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
+		return SSH_ERR_ALLOC_FAIL;
+	if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
+	    (int)sshbuf_len(blob)) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
+	clear_libcrypto_errors();
+	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb,
+	    (char *)passphrase)) == NULL) {
+	       /*
+		* libcrypto may return various ASN.1 errors when attempting
+		* to parse a key with an incorrect passphrase.
+		* Treat all format errors as "incorrect passphrase" if a
+		* passphrase was supplied.
+		*/
+		if (passphrase != NULL && *passphrase != '\0')
+			r = SSH_ERR_KEY_WRONG_PASSPHRASE;
+		else
+			r = convert_libcrypto_error();
+		goto out;
+	}
+	r = sshkey_openssl_private_key(type, pk, keyp, 0);
  out:
 	BIO_free(bio);
 	EVP_PKEY_free(pk);
-	sshkey_free(prv);
 	return r;
 }
 #endif /* WITH_OPENSSL */
diff --git a/sshkey.h b/sshkey.h
index 2d8b62497..12af74b56 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -318,6 +318,11 @@ int ssh_xmss_verify(const struct sshkey *key,
     const u_char *data, size_t datalen, u_int compat);
 #endif
 
+#ifdef WITH_OPENSSL
+int sshkey_openssl_private_key(int type, EVP_PKEY *pk, struct sshkey **keyp,
+			       int external);
+#endif
+
 #if !defined(WITH_OPENSSL)
 # undef RSA
 # undef DSA
-- 
2.26.2
openSUSE Build Service is sponsored by